Heap Buffer Overflow in spell file loading affects Vim < 9.2.0450
=================================================================
Date: 07.05.2026
Severity: Medium
CVE: *requested, not yet assigned*
CWE: Integer Overflow or Wraparound (CWE-190) leading to Heap-based Buffer
Overflow (CWE-122)
## Summary
A heap buffer overflow exists in `read_compound()` in `src/spellfile.c`
when loading a crafted spell file (`.spl`) with UTF-8 encoding active.
An attacker-controlled length field in the spell file's compound section
overflows a 32-bit signed integer multiplication, causing a small buffer
to be allocated for a write loop that runs many iterations, overflowing
the heap. Because the `'spelllang'` option can be set from a modeline,
a text file modeline can trigger spell file loading if a malicious
`.spl` file has been planted on the runtimepath.
## Description
In `read_compound()` (`src/spellfile.c`), the buffer size for the regex
pattern `pat` is computed from the attacker-controlled `sectionlen`
field of an `SN_COMPOUND` section. Both `todo` and the size variable
`c` are declared as `int`:
c = todo * 2 + 7;
if (enc_utf8)
c += todo * 2;
pat = alloc(c);
When `todo` is sufficiently large (e.g. `0x40000005`), the multiplication
`todo * 4 + 7` overflows the 32-bit signed integer and wraps to a small
positive value (e.g. 27). `alloc(27)` succeeds, but the subsequent loop
iterates `todo` (~1 billion) times, writing bytes into the 27-byte
buffer and corrupting adjacent heap memory.
The overflow only manifests when UTF-8 encoding is active (`enc_utf8`).
Without it, the intermediate value remains negative, sign-extends to a
huge `size_t`, and `alloc()` returns NULL harmlessly. UTF-8 is the
default on virtually all modern Linux and macOS systems.
A modeline in an unrelated text file can set `'spelllang'` and enable
`'spell'`, causing Vim to load a spell file under the attacker's control
if one has been planted on the runtimepath (e.g. `~/.vim/spell/`).
## Impact
The vulnerability allows a heap buffer overflow of approximately 75
bytes with partially attacker-controlled content when Vim loads a
crafted spell file under UTF-8 encoding. The practical impact is a
crash of the Vim process (denial of service).
Exploitation requires a malicious `.spl` file to be present on the
runtimepath and the victim to either:
- explicitly enable spell checking with the matching language, or
- open any text file containing a modeline that sets `'spelllang'`
and enables `'spell'`, while `'modeline'` is enabled.
The severity is rated Medium because exploitation requires both a
planted spell file and a separate triggering action by the victim, and
the practical outcome is a crash rather than code execution.
## Acknowledgements
The Vim project would like to thank Daniel Cervera (@daniel-msft) of
Microsoft Security Engineering for reporting and analyzing the issue and
suggesting a fix.
## References
The issue has been fixed as of Vim patch
[v9.2.0450](https://github.com/vim/vim/releases/tag/v9.2.0450).
-
[Commit](https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8)
- [Github Security
Advisory](https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv)
Best,
Christian
--
Man soll die Wahrheit mehr als sich selbst lieben, aber seinen
Nächsten mehr als die Wahrheit.
-- Romain Rolland
